How to Protect the Supply Chain from Cyber Threats

By Brett Powers • November 9, 2021

As the cybersecurity landscape continues to evolve and threats continue to infiltrate the IT infrastructure of companies across the globe, it is more important than ever to ensure that your company and your data are protected, especially when doing business with the Department of Defense (DoD). One mechanism in place to help accomplish this herculean task is 48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting.


About DFARS 252.204-7012, Clause M

The DoD is requiring compliance with this mandate to help secure the supply chain of the defense industrial base (DIB). With countless contractors and subcontractors engaging with the DoD, it can be a challenge to make sure all the companies take cybersecurity seriously.

Consider all of the different layers within the supply chain. What sometimes gets overlooked are the requirements for how each supplier must protect controlled unclassified information (CUI). The DFARS 7012 clause states that for every subcontract, a contractor has to flow down the original information handling requirements to the companies it is subcontracting with.


Why is it necessary?

Foreign adversaries are starting to collect and piece together information. Individual pieces of unclassified data might seem inconsequential, but when aggregated the information could yield intelligence on classified hardware.

This clause helps ameliorate the overall impact of information loss. By ensuring that your subcontractors guard against data breaches, you are protecting your sub, your own company, and the DoD. If a breach occurs, this clause requires not only that you are notified, but also that you flow that information upstream, back to the DIB Cybersecurity Assessment Center (CAC), helping secure all points of the data flow.


What you need to do

As a contractor or subcontractor, you are required to include this clause in subcontracts or similar contractual agreements. The full text is available here.

As a prime contractor

  • Add the above clause to the contract with your subcontractor. Make sure to include all the verbiage within the contract that states what the subcontractor is required to do.
  • Keep your subcontractors informed and accountable. Your subcontractors potentially put you at additional risk through how they handle the information you flow down to them. Any of your subcontractors hiring additional contractors below them also need to include this clause in their contracts.

As a subcontractor

  • Make sure you safeguard covered defense information by maintaining adequate security to protect any CUI that flows to your organization. You are held to the requirements in NIST Special Publication 800-171A, which details protections for CUI in non-federal information systems.
  • Report incidents or data breaches. Subcontractors are required to notify the prime contractor when submitting a request to vary from the security requirements, and to provide the prime with the incident report number automatically assigned by the DoD when a cyber incident has been identified.


Contractors and subcontractors who are not doing this are putting themselves at increased risk of penalties from the government. Further incentivizing compliance is the escalating severity of the consequences of non-compliance, ranging from jail time to loss of future contracts, resulting in a hit to your company’s bottom line.


If you have any questions about clause M and how to secure your CUI, you can rely on the experts at CyberSheath to help. Contact us today to get started.
